This TechNote has a good breakdown and illustration of how the Posture flow works for both Pre-2.2 and Post-2.2. You can see how the redirect to the Client Provisioning Policy is built into the overall Posture flow.
Regardless of whether you pre-deploy the Posture agent via software management tools, ISE still does a check against the CPP to determine what agent it needs to check for (NAC Agent, AnyConnect, Temporal, etc) on the client.
Thank you for the TechNote. I have gone through the document; it is very well explained.
I have a doubt in the Posture Flow for Pre-2.2.
In Steps 20 and 21 it states that the Posture module is the one that initiates Policy Server Detection by sending probes and establishes a connection to the CPP.
And in Step 26 it states that the Posture module collects information about the system (OS version, installed security products and their definition version); this collected information (report) is sent to ISE.
ISE makes the endpoint compliance status decision based on the report. Up to here everything is well and good.
My doubt is: what is the use of the "Compliance Module"? Also, we use the Compliance Module while creating the Posture policy,
as the Posture module is the one that is collecting information and sending it to ISE.
Both are needed as part of the Posture function. The Posture module is essentially the agent and front-end, while the Compliance module mostly provides a library for the assessment and remediation of various 3rd-party products (e.g. anti-malware, patch management, disk encryption, etc.)
Newer versions of the Compliance module typically add support for new vendor products or versions.
You can see the support charts for the various versions of the Compliance Module here:
In the below possible scenarios, how does ISE determine the posture status, and based on which condition?
1. Both Client Provisioning and Posture Policies are present – The compliance status is determined based on the posture check
2. Client Provisioning is missing and Posture Policy is present – The compliance status is determined based on the posture check
3. Client Provisioning policy is present, Posture policy is missing – How is the compliance status determined for this?
(++ default Posture Status is set to Non-Compliant in Posture Settings)
4. Both Client Provisioning and Posture Policies are missing – How is the compliance status determined?
Here we have the following options:
(++ default Posture Status (Administration -> System -> Settings -> Posture -> General Settings) is set to Non-Compliant: what will be the status?
(++ default client provisioning configuration (Administration -> System -> Settings -> Client Provisioning, the “Native Supplicant Provisioning Policy Unavailable” option is set to “Apply defined authorization policy”): what will be the status?
(++ if we change “Native Supplicant Provisioning Policy Unavailable” to “Allow network access”: what will be the status?
In our environment users unlock the screen when they are off shift, so the same session will be there for the user as the endpoint has not been disconnected from the network.
So, if a user doesn’t get disconnected from the network, how long does ISE keep the Posture Status as Compliant in its database, as the Posture lease is set to “Perform posture assessment every time a user connects to the network”?
As per the Cisco document, the Posture process is launched in the below situations:
1) After Network Interface status (up/down)
2) Default gateway change
3) System restart
In our environment sometimes the above 3 situations do not occur for more than a week or two, and along with that Periodic Re-assessment is not configured, so how long does ISE keep the posture status of an endpoint? Does ISE have any default posture time for the endpoints?
Since PRA is not configured, as long as the RADIUS session stays up the posture session information stays the same and there is no change in state.
Perhaps the device or NIC is going to sleep.
You need to look at the logs for a session change and perhaps get a DART file when it happens to debug further with TAC.
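The reply above says the posture state only changes when the RADIUS session changes, and that the logs are where to look for such a change. As an added example (not from the thread, not Cisco code, and not the real ISE log format), the script below walks a constructed, simplified accounting-style log, groups records per endpoint into sessions, flags where one session was replaced by another (the Stop/Start pair a sleeping NIC would produce), and reports how long each open session has been holding its posture status. Every field name, event name and value in it is an assumption made for the example.

```python
"""Added example: spotting RADIUS session changes behind a posture status
that appears to stick. The log format below is constructed for this example
and is NOT the ISE accounting/posture log format."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines: "<ISO timestamp> <event> mac=<mac> session=<id> [posture=<status>]"
SAMPLE_LOG = """\
2024-03-01T08:00:00 ACCT_START mac=00:11:22:33:44:55 session=S1
2024-03-01T08:00:05 POSTURE mac=00:11:22:33:44:55 session=S1 posture=Compliant
2024-03-03T02:10:00 ACCT_STOP mac=00:11:22:33:44:55 session=S1
2024-03-03T02:10:03 ACCT_START mac=00:11:22:33:44:55 session=S2
2024-03-03T02:10:08 POSTURE mac=00:11:22:33:44:55 session=S2 posture=Compliant
2024-03-01T09:00:00 ACCT_START mac=66:77:88:99:aa:bb session=S9
2024-03-01T09:00:04 POSTURE mac=66:77:88:99:aa:bb session=S9 posture=Compliant
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record with a datetime timestamp."""
    ts, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def session_timeline(log_text: str, now: datetime) -> Dict[str, List[dict]]:
    """Group records per endpoint MAC into sessions, in start order.

    Each session carries its start, end (None while still open), the last
    posture status seen, whether it is open, and its duration in hours
    (open sessions are measured up to `now`)."""
    records = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                     key=lambda r: r["ts"])
    sessions: Dict[str, Dict[str, dict]] = {}
    order: Dict[str, List[str]] = {}
    for rec in records:
        mac, sid = rec["mac"], rec["session"]
        per_mac = sessions.setdefault(mac, {})
        if sid not in per_mac:
            per_mac[sid] = {"session": sid, "start": None, "end": None, "posture": None}
            order.setdefault(mac, []).append(sid)
        sess = per_mac[sid]
        if rec["event"] == "ACCT_START":
            sess["start"] = rec["ts"]
        elif rec["event"] == "ACCT_STOP":
            sess["end"] = rec["ts"]
        elif rec["event"] == "POSTURE":
            sess["posture"] = rec.get("posture")
    result: Dict[str, List[dict]] = {}
    for mac, sids in order.items():
        out = []
        for sid in sids:
            sess = sessions[mac][sid]
            end = sess["end"] or now
            sess["open"] = sess["end"] is None
            sess["hours"] = (round((end - sess["start"]).total_seconds() / 3600, 2)
                             if sess["start"] else None)
            out.append(sess)
        result[mac] = out
    return result


def session_changes(timeline: Dict[str, List[dict]]) -> List[Tuple[str, str, str, float]]:
    """Return (mac, old_session, new_session, gap_seconds) for each endpoint whose
    session was replaced by a new one. A short gap is the signature of a NIC
    dropping and re-associating, which restarts posture."""
    changes = []
    for mac, sessions in timeline.items():
        for prev, nxt in zip(sessions, sessions[1:]):
            gap = (nxt["start"] - (prev["end"] or nxt["start"])).total_seconds()
            changes.append((mac, prev["session"], nxt["session"], gap))
    return changes


def longest_open_compliant(timeline: Dict[str, List[dict]]) -> Tuple[str, float]:
    """Find the open session that has been holding a Compliant status the longest:
    the case the thread asks about, where no PRA and no reconnect ever refresh it."""
    best = ("", 0.0)
    for mac, sessions in timeline.items():
        for sess in sessions:
            if sess["open"] and sess["posture"] == "Compliant" and sess["hours"] > best[1]:
                best = (mac, sess["hours"])
    return best


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-05T08:00:00")  # constructed "current time"
    tl = session_timeline(SAMPLE_LOG, now)
    for change in session_changes(tl):
        print("session change:", change)
    print("longest open Compliant session (mac, hours):", longest_open_compliant(tl))
```

On the constructed input the first endpoint shows a Stop followed three seconds later by a new Start, which is exactly the kind of session change the reply suggests looking for (and the moment to collect a DART bundle); the second endpoint has sat in one open session for 95 hours, illustrating that without PRA or a reconnect the Compliant status simply persists with the session. Against real ISE data the parser would need to be adapted to the actual accounting report or syslog fields.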